DNSPROXY and FQDN address refresh behaviours - PANOS 9.0 and Above

Created On 01/22/20 02:38 AM - Last Modified 02/22/22 09:53 AM


Symptom


This document explains the FQDN address object and DNSProxy refresh behaviours on PANOS 9.0 and above.
The enhancement made in PANOS version 9.0 for FQDN refresh is described in the following document:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/networking-features/fqdn-refresh-response.html
This document also explains what happens when the DNS servers on the firewall are set to a DNSProxy object.


Environment


Topology :
[Topology diagram image]
Assumptions :
PA firewall is running PANOS version 9.0 or above.
Host A is configured to use the Trust interface IP of the PA firewall as its DNS server.
server-a.com resolves to 10.10.10.1.
server-b.com resolves to 10.10.10.3.
The TTL returned by the DNS server for both FQDNs above is 120 seconds.

An address object "ServerA" is configured for FQDN server-a.com on the firewall.
Security Policy Rule "SecPolicyServerA" uses address object "ServerA" as its destination.
Note : server-b.com is not configured as an address object on the firewall.


Cause


DNSProxy Caches :
As a result of the FQDN enhancement implemented in PANOS 9.0, the FQDN address object cache is now integrated with the dnsproxy functionality.
The FQDN address cache now lives under dnsproxy (Name: mgmt-obj):
> show dns-proxy cache all

Name: mgmt-obj
Cache settings: 
    cache-edns: enabled 
    entries: 0

If a DNSProxy object is created with the name "DNSProxyTrust", another cache is created under dnsproxy (Name: DNSProxyTrust):
> show dns-proxy cache all

Name: mgmt-obj
Cache settings: 
    cache-edns: enabled 
    entries: 0 
<---snip---->

Name: DNSProxyTrust
Cache settings: 
    max-ttl: 60 
    cache-edns: enabled 
    entries: 4
mgmt-obj holds the FQDN address objects; DNSProxyTrust holds the entries for the dnsproxy object configured on the firewall.

Timers :
DNSProxy :
The DNSProxy configuration can be set to honour the TTL value given by the DNS server.
However, if the TTL returned by the DNS server is high and the TTL of the FQDN needs to be capped, a lower maximum value can be configured.
For example, if the 120 second TTL for server-b.com has to be reduced to 60 seconds, the value is set under the DNSProxy object:
Network > DNS Proxy > DNSProxyTrust > Advanced

If the value is not set, the DNSProxy Max TTL defaults to 86400 seconds, so the TTL given by the DNS server is honoured:
Name: DNSProxyTrust
Cache settings: 
    max-ttl: 86400 
    cache-edns: enabled 
    entries: 2 
Domain                     IP/Name                                   Type   Class  TTL         Hits      
-------------------------------------------------------------------------------------------------------
server-b.com                10.10.10.3                             A      IN     119       1

If the value is set to 60 seconds, the TTL of server-b.com is reduced to 60 seconds:

Name: DNSProxyTrust
Cache settings: 
    max-ttl: 60 
    cache-edns: enabled 
    entries: 2 
Domain                     IP/Name                                   Type   Class  TTL         Hits      
-------------------------------------------------------------------------------------------------------
server-b.com                10.10.10.3                             A      IN     58       1

FQDN Timers :
The "FQDN Stale Entry Timeout (min)" timer determines how long an already resolved IP address for an FQDN may continue to be used when the DNS servers are not reachable. A value of 0 means stale FQDN entries are not used at all.
The "Minimum FQDN Refresh Time (sec)" determines how often the FQDN of an FQDN address object is refreshed.

Starting from PANOS 9.0, the lower of the two values, "Minimum FQDN Refresh Time (sec)" and the TTL provided by the DNS server, is honoured.
If the value is set to 0, only the DNS server supplied TTL is used to refresh the FQDN.
Device > Setup > Services > Settings

This means that if "Minimum FQDN Refresh Time (sec)" is set to 600 seconds and the TTL provided by the DNS server for server-a.com is 120 seconds, then 120 seconds is used as the TTL:
> show dns-proxy cache all
Name: mgmt-obj
Cache settings: 
    cache-edns: enabled 
    entries: 3 
Domain                     IP/Name                                   Type   Class  TTL         Hits      
--------------------------------------------------------------------------------------------------------
server-a.com                10.10.10.1                             A      IN     118       2

DNS server on Firewall set to DNSProxy Object :
Once the DNS servers on the firewall are set to the DNSProxy object, the default FQDN cache (Name: mgmt-obj) is no longer used.
Device > Setup > Services > Settings > DNS Proxy Object > DNSProxyTrust
Instead, both kinds of FQDN, the ones Host A sends DNS requests for and the FQDN address objects, use the same dnsproxy cache (Name: DNSProxyTrust).
Also, for the FQDNs configured under Address Objects, the larger of "Minimum FQDN Refresh Time (sec)" under Services and "Time to Live (sec)" under the DNS Proxy object (Cache) is used.
If "Minimum FQDN Refresh Time (sec)" is set to 600 seconds and "Time to Live (sec)" is set to 700 seconds, then a TTL of 700 seconds is used:
> show dns-proxy cache all

Name: mgmt-obj
Cache settings: 
    cache-edns: enabled 
    entries: 0 
Domain                     IP/Name                                   Type   Class  TTL         Hits      
-----------------------------------------------------------------------------------------------------------------------------

Name: DNSProxyTrust
Cache settings: 
    max-ttl: 700 
    cache-edns: enabled 
    entries: 4 
Domain                     IP/Name                                   Type   Class  TTL         Hits      
-----------------------------------------------------------------------------------------------------------------------------
server-a.com                10.10.10.1                             A      IN     689         2  
server-b.com                10.10.10.3                             A      IN     687         2

Note : the "mgmt-obj" cache no longer has any entries.
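The refresh rules above and the cache listings can be checked programmatically. The following Python script is an added example, not part of this article or of PAN-OS: it parses a constructed "show dns-proxy cache all" listing (modelled on the outputs shown in this article), encodes the refresh-interval rules for an FQDN address object in each of the two modes, and flags cached TTLs that exceed a cache's max-ttl. The function names parse_dns_proxy_cache, fqdn_refresh_ttl and check_caches are chosen here.

```python
import re

# Constructed sample of "show dns-proxy cache all" output, modelled on the
# listings in this article (same cache names, domains, IPs and TTLs).
SAMPLE_OUTPUT = """\
Name: mgmt-obj
Cache settings:
    cache-edns: enabled
    entries: 0

Name: DNSProxyTrust
Cache settings:
    max-ttl: 700
    cache-edns: enabled
    entries: 4
Domain          IP/Name       Type   Class  TTL    Hits
--------------------------------------------------------
server-a.com    10.10.10.1    A      IN     689    2
server-b.com    10.10.10.3    A      IN     687    2
"""
RECORD_RE = re.compile(r"(\S+)\s+(\S+)\s+(A|AAAA|CNAME|PTR)\s+IN\s+(\d+)\s+(\d+)")

def parse_dns_proxy_cache(text):
    """Return {cache name: {"max-ttl": int or None, "entries": int, "records": [...]}}."""
    caches, cur = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):  # start of a new cache block
            cur = caches.setdefault(line[6:].strip(), {"max-ttl": None, "entries": 0, "records": []})
        elif cur is None:
            continue
        elif (m := re.match(r"\s+(max-ttl|entries):\s+(\d+)", line)):  # cache settings
            cur[m.group(1)] = int(m.group(2))
        elif (m := RECORD_RE.match(line)):  # one cached answer
            dom, ans, typ, ttl, hits = m.groups()
            cur["records"].append({"domain": dom, "answer": ans, "type": typ,
                                   "ttl": int(ttl), "hits": int(hits)})
    return caches

def fqdn_refresh_ttl(server_ttl, min_refresh, proxy_ttl=None):
    """Refresh interval for an FQDN address object, per the article's rules."""
    if proxy_ttl is not None:  # DNS servers set to a DNSProxy object
        return max(min_refresh, proxy_ttl)  # larger of min refresh and proxy "Time to Live"
    # otherwise: server TTL alone when min refresh is 0, else the lower of the two
    return server_ttl if min_refresh == 0 else min(server_ttl, min_refresh)

def check_caches(caches):
    """Cached TTLs must not exceed the cache's max-ttl; return any that do."""
    return [(name, r["domain"]) for name, c in caches.items() if c["max-ttl"] is not None
            for r in c["records"] if r["ttl"] > c["max-ttl"]]
```

Feed real CLI output into parse_dns_proxy_cache to confirm, for instance, that mgmt-obj is empty once the DNS servers point at the DNSProxy object.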


Additional Information


USING FQDN ADDRESS OBJECT WITH DYNAMIC IP FOR POLICIES 
HOW TO CONFIGURE DNS PROXY ON A PALO ALTO NETWORKS FIREWALL

